Didier Stevens

Wednesday 11 July 2018

New Tool: file-magic.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

I find the *nix tool file very useful. There’s no equivalent on Windows, that’s why I use a Windows port of this tool.

But it has some limitations, the most annoying to me being the lack of support for stdin. This prevents me from using it in a chain of commands.

That’s the main reason I developed file-magic.py, a Python tool that is essentially a wrapper for the Python magic module.

On Windows and OSX, install module python-magic-bin with pip (this will install binaries too), while on Linux install module python-magic.

Here is an example showing how output from base64dump is piped into file-magic:

And here is an example with the --jsonoutput option I mentioned before:

You can also add your own definitions to file file-magic.def.

For example, I added a definition for VBE/JSE files (encoded .vbs/.js scripts).

file-magic_V0_0_2.zip (https)
MD5: EAE684E74731FF493D5EC5D243EB16B6
SHA256: 9B0E7B47CAED8F5627DEFCE19B737554BBF998EF380187D6DE4FC1C9572EC9ED

Monday 9 July 2018

--jsonoutput

Filed under: My Software — Didier Stevens @ 0:00

My oledump.py and zipdump.py tools have a new option: --jsonoutput. With this option, my tools will output JSON data to stdout. For oledump, the JSON data will contain the content of all the streams found inside the analyzed OLE file, and for zipdump, the JSON data will contain the content of all the files found inside the analyzed ZIP file.

This is meant to be piped into a new tool I will release soon.

Let’s take a small ZIP file with 2 small files as example (a binary file and a text file). Here is the content displayed with zipdump:

With zipdump’s option --jsonoutput, we output JSON data with the content of these 2 files encoded in BASE64:

Here is the same data pretty-printed:

This can now be piped into other tools that support this JSON data format.
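The two posts above (file-magic.py consuming stdin, and zipdump.py emitting --jsonoutput) describe a pipeline whose screenshots are not reproduced here. The following is an added, self-contained example, not code from the author's tools: it builds a small ZIP in memory, emits a zipdump-style JSON document (the exact field names are an assumption, since the post only shows the format as a screenshot), and then identifies each base64-encoded item by its magic bytes. A four-entry signature table stands in for the python-magic module so the example runs without libmagic; the VBE/JSE entry uses the Windows Script Encoder start marker `#@~^`, in the spirit of the custom definition the post mentions adding to file-magic.def.

```python
import base64
import io
import json
import sys
import zipfile


def zip_to_jsonoutput(zip_bytes):
    """Emit zipdump-style JSON: every ZIP member with its content base64-encoded.
    The {"type", "items": [{"id", "name", "content"}]} layout is an assumption."""
    items = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for index, info in enumerate(zf.infolist(), start=1):
            items.append({
                "id": index,
                "name": info.filename,
                "content": base64.b64encode(zf.read(info)).decode("ascii"),
            })
    return json.dumps({"type": "content", "items": items})


# Minimal magic table standing in for libmagic: (offset, signature, description).
# The last entry plays the role of a user-added definition for encoded scripts.
MAGIC_DEFINITIONS = [
    (0, b"MZ", "PE executable (MZ header)"),
    (0, b"PK\x03\x04", "Zip archive data"),
    (0, b"%PDF-", "PDF document"),
    (0, b"#@~^", "Windows Script Encoder (VBE/JSE) encoded script"),
]


def identify(data):
    """Return a description for the first matching signature, else text/data."""
    for offset, signature, description in MAGIC_DEFINITIONS:
        if data[offset:offset + len(signature)] == signature:
            return description
    if data and all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        return "ASCII text"
    return "data"


def identify_jsonoutput(json_text):
    """Decode each item of a --jsonoutput document and identify it."""
    doc = json.loads(json_text)
    return [(item["name"], identify(base64.b64decode(item["content"])))
            for item in doc["items"]]


def build_sample_zip():
    """Constructed sample archive: a binary member with an MZ header,
    a text member, and an encoded-script member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"MZ\x90\x00" + bytes(60))
        zf.writestr("readme.txt", "hello, world\n")
        zf.writestr("script.vbe", "#@~^BgAAAA==xxxxxx^#~@")
    return buf.getvalue()


if __name__ == "__main__":
    # Chained use: `zipdump-like producer | this script`; when run interactively
    # the sample archive is used instead of stdin.
    if sys.stdin.isatty():
        json_text = zip_to_jsonoutput(build_sample_zip())
    else:
        json_text = sys.stdin.read()
    for name, description in identify_jsonoutput(json_text):
        print(f"{name}: {description}")
```

Because the producer writes JSON to stdout and the consumer reads it from stdin, the two halves can live in separate processes joined by a pipe, which is exactly what the lack of stdin support in the Windows port of file prevented.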


Sunday 8 July 2018

Update: oledump.py Version 0.0.36

Filed under: My Software,Update — Didier Stevens @ 0:00

I was a bit too quick with my release for --jsonoutput; I made yet some more changes, now in version 0.0.36.

oledump_V0_0_36.zip (https)
MD5: D8C9FBFD1AA2238D6EB3CA164EE91A65
SHA256: BE609FD0D976984A8856939B76D7DF54AB5ED4934F58F7AD47E4D6E42CDFCCBF

Update: zipdump.py Version 0.0.14

Filed under: My Software,Update — Didier Stevens @ 0:00

I was a bit too quick with my release for --jsonoutput; I made yet some more changes, now in version 0.0.14.

zipdump_v0_0_14.zip (https)
MD5: FB7D1A9F90E8453DF7F3154EC52AF4E7
SHA256: ADFF99677DB512A27EBDEBBAC77FA08FFF8B180EF620CB6F9725C06511FC38BF

Saturday 7 July 2018

Update: zipdump.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This update introduces option -j (--jsonoutput) to zipdump.py. Soon I will explain how to use this option together with a new tool I will release soon.

zipdump_v0_0_13.zip (https)
MD5: 264D32D0DC863FC29FED161D4A73560F
SHA256: 14D11D5244973A484E5754F20747D4B544C228AC951C885FE8B9FC6D26C86088

Tuesday 3 July 2018

Update: oledump.py Version 0.0.35

Filed under: My Software,Update — Didier Stevens @ 0:00

This update brings some changes to option -j (--jsonoutput), an option introduced with version 0.0.33. Soon I will explain how to use this option together with a new tool I will release soon.

oledump_V0_0_35.zip (https)
MD5: 2089AFC496FFE2E44F67CF9C44EB101B
SHA256: C232282BD8AE050EECA1455E6A58EAB8D5CBBDF0D61E9FE2077CDA3DEB15D325

Sunday 1 July 2018

Update: re-search.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 13:28

This new version of re-search.py comes with a new option: -e. This option instructs re-search to read its input as a binary file and extract strings from it, to be matched with the chosen regular expression. This allows, for example, the processing of UNICODE strings.

re-search_V0_0_11.zip (https)
MD5: 72F160A83E214351162704EB4B94EB9E
SHA256: 624E2864738008F6A63CC4E3F7B5FCB3738389DBC7E6EF29BC8C2F749ABAD9DE

Friday 29 June 2018

Update: re-search.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of re-search.py comes with 3 new regular expressions in its library:

  • email-domain
  • url-domain
  • onion

Regular expressions email-domain and url-domain match exactly the same text as regular expressions email and url; however, the output is just the domain, not the full email address or URL.

Regular expression onion matches onion addresses.

I use url-domain to make a list of unique domain names for all the URLs found inside a document. Compare the output for url and url-domain:
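The screenshot comparing url and url-domain is not reproduced here. The following added example, which is my own code and not re-search.py, shows what the two re-search posts above describe: extracting ASCII and UTF-16LE strings from a binary blob (the behaviour of option -e), matching them against a small regex library, and reducing url and email matches to their unique domains. The regular expressions are simplified stand-ins for the tool's library, the onion pattern accepts 16- or 56-character base32 names, and the binary sample is constructed inline.

```python
import re
from urllib.parse import urlparse

# Simplified stand-ins for re-search's library entries (assumed, not the tool's own).
LIBRARY = {
    "url": r"[a-zA-Z]+://[-a-zA-Z0-9._~:/?#\[\]@!$&'()*+,;=%]+",
    "email": r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}",
    "onion": r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b",
}


def extract_strings(data, min_length=4):
    """Return printable ASCII strings, then UTF-16LE (wide) strings, found in a blob.
    This is the string-extraction step that option -e applies before matching."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_length)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_length)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def search(name, strings):
    """Apply a library regex to every extracted string, in order."""
    regex = re.compile(LIBRARY[name])
    return [m.group() for s in strings for m in regex.finditer(s)]


def unique(values):
    """Deduplicate while keeping first-seen order."""
    seen = []
    for v in values:
        if v not in seen:
            seen.append(v)
    return seen


def url_domain(strings):
    """Like url, but output only the host part (the url-domain behaviour)."""
    return unique(urlparse(u).hostname for u in search("url", strings))


def email_domain(strings):
    """Like email, but output only the part after the @."""
    return unique(e.split("@", 1)[1] for e in search("email", strings))


# Constructed sample: two ASCII strings and two UTF-16LE strings embedded in junk bytes.
SAMPLE = (
    b"\x00\x01\x02" + b"http://example.com/update.php?id=1" + b"\x00\x00"
    + "https://example.com/second".encode("utf-16-le") + b"\x00"
    + b"mailto admin@example.org " + b"\xff\xfe"
    + "http://abcdefghij234567.onion/".encode("utf-16-le")
)


def report(data):
    """Run every library entry over the extracted strings of a blob."""
    strings = extract_strings(data)
    return {
        "url": search("url", strings),
        "url-domain": url_domain(strings),
        "email-domain": email_domain(strings),
        "onion": search("onion", strings),
    }


if __name__ == "__main__":
    for name, hits in report(SAMPLE).items():
        print(name, hits)
```

Without the wide-string pass, the two UTF-16LE URLs would never reach the regex, because every other byte of such a string is a NUL that breaks the ASCII run.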

re-search_V0_0_10.zip (https)
MD5: A4A22FBA70990B57C811DD290C6F0DAA
SHA256: BF5084E4CE7A528AB2701D5AAA6C7366A3A43B8768C712263133A6E302569E86

Wednesday 27 June 2018

Quickpost: Decoding Certutil Encoded Files

Filed under: My Software,Quickpost — Didier Stevens @ 0:00

As I showed a colleague, it’s easy to analyze a file encoded with certutil using my base64dump.py tool:

Just use option -w to ignore all whitespace, and base64dump.py will detect and decode the base64 string.

As can be seen in the screenshot, it’s a file starting with MZ: probably a PE file.

We can confirm this with my YARA rule to detect PE files:

Or use pecheck.py:
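The screenshots of base64dump.py, the YARA rule and pecheck.py are not reproduced here. The following added example (my own code, not the author's tools) reproduces the analysis in plain Python: it wraps a constructed MZ/PE stub the way `certutil -encode` does (PEM-style header and footer, 64-character lines), strips all whitespace as option -w does, reports every decodable base64 run, and then applies the usual PE check that a YARA PE rule encodes (MZ at offset 0 and the PE signature at the e_lfanew offset stored at 0x3C). The stub is not a runnable executable; it only carries the two header fields the check inspects.

```python
import base64
import re
import struct


def certutil_encode(data):
    """Constructed stand-in for `certutil -encode`: PEM-style wrapper, 64-char base64 lines."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n"
            + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


def find_base64(text, ignore_whitespace=True, min_length=16):
    """Like base64dump.py -w: remove all whitespace, then report every base64 run
    whose length is a multiple of 4 (a PEM header such as BEGINCERTIFICATE also
    qualifies and is reported too, so the analyst still has to pick the real one)."""
    if ignore_whitespace:
        text = re.sub(r"\s+", "", text)
    candidates = []
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_length, text):
        run = m.group()
        if len(run) % 4 != 0:
            continue
        candidates.append({
            "position": m.start(),
            "length": len(run),
            "decoded": base64.b64decode(run),
        })
    return candidates


def is_pe(data):
    """MZ at offset 0 and 'PE\\0\\0' at the e_lfanew offset read from 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe():
    """Constructed 0x44-byte stub: MZ header whose e_lfanew (0x3C) points at 0x40,
    where a PE signature sits. Enough for the header check, nothing more."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def analyze(encoded_text):
    """For each base64 candidate: length, first two decoded bytes, PE verdict."""
    return [(c["length"], c["decoded"][:2], is_pe(c["decoded"]))
            for c in find_base64(encoded_text)]


if __name__ == "__main__":
    encoded = certutil_encode(build_fake_pe())
    for length, head, pe in analyze(encoded):
        print(f"base64 run of {length} chars, starts with {head!r}, PE: {pe}")
```

The first candidate is the decoded PEM header text, the second is the real payload; as in the post, the MZ prefix of the second run is the hint, and the e_lfanew check confirms it.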

Tuesday 26 June 2018

Update: zipdump.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds option -t (translate), like some of my other tools. This option can be used to specify a codec when dumping the content of a file.

Here I used it to dump a Unicode file for a page of an XPS document:

zipdump_v0_0_12.zip (https)
MD5: 7110FB8B873BFDCF10E4A1C2AB89ACC2
SHA256: EA2D852C132DEF7947EBA0FFDB3E4CC8C69032413D36E67BBB3F943FA7B44B18
